This is a note to let you know that I've just added the patch titled

    media: em28xx: initialize refcount before kref_get

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     media-em28xx-initialize-refcount-before-kref_get.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From c08eadca1bdfa099e20a32f8fa4b52b2f672236d Mon Sep 17 00:00:00 2001
From: Dongliang Mu <mudongliangabcd@xxxxxxxxx>
Date: Sat, 22 Jan 2022 15:44:59 +0800
Subject: media: em28xx: initialize refcount before kref_get

From: Dongliang Mu <mudongliangabcd@xxxxxxxxx>

commit c08eadca1bdfa099e20a32f8fa4b52b2f672236d upstream.

The commit 47677e51e2a4 ("[media] em28xx: Only deallocate struct em28xx after
finishing all extensions") adds kref_get to many init functions (e.g.,
em28xx_audio_init). However, kref_init is called too late in
em28xx_usb_probe, since em28xx_init_dev, which runs before it, will invoke
those init functions and call the kref_get function. Then a refcount bug
occurs in my local syzkaller instance.

Fix it by moving kref_init before em28xx_init_dev.

This issue occurs not only in dev but also in dev->dev_next.

Fixes: 47677e51e2a4 ("[media] em28xx: Only deallocate struct em28xx after finishing all extensions")
Reported-by: syzkaller <syzkaller@xxxxxxxxxxxxxxxx>
Signed-off-by: Dongliang Mu <mudongliangabcd@xxxxxxxxx>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>
[DP: drop changes related to dev->dev_next as second tuner functionality was added in 4.16]
Signed-off-by: Dragos-Marian Panait <dragos.panait@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/media/usb/em28xx/em28xx-cards.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/media/usb/em28xx/em28xx-cards.c
+++ b/drivers/media/usb/em28xx/em28xx-cards.c
@@ -3644,6 +3644,8 @@ static int em28xx_usb_probe(struct usb_i goto err_free; } + kref_init(&dev->ref); + dev->devno = nr; dev->model = id->driver_info; dev->alt = -1; @@ -3730,8 +3732,6 @@ static int em28xx_usb_probe(struct usb_i dev->dvb_xfer_bulk ? "bulk" : "isoc"); } - kref_init(&dev->ref); - request_modules(dev); /* Patches currently in stable-queue which might be from mudongliangabcd@xxxxxxxxx are queue-4.14/media-em28xx-initialize-refcount-before-kref_get.patch
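Review bot: In the first hunk (@@ -3644), kref_init(&dev->ref) now runs immediately after the visible `goto err_free;` check and before `dev->devno = nr;`, which is the point of the fix: every kref_get taken by the extension init functions that em28xx_init_dev calls will then operate on a refcount that has already been set to 1 instead of on zeroed memory. One thing to confirm outside the visible context lines is that the error paths between this new kref_init and the old position still release dev the same way they did before (the hunk shows the `err_free` label being used, but not what it does); if any of those paths jump to a label that frees dev directly while an extension has already taken a reference, the early kref_init does not by itself make that path consistent. A one-line comment above the new kref_init saying that it must precede em28xx_init_dev would prevent a future reorder from reintroducing the bug.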
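Review bot: In the second hunk (@@ -3730), removing the late kref_init(&dev->ref) before request_modules(dev) is required, not just tidy-up: with the first hunk applied, leaving this call in place would reset the refcount to 1 after the extension init functions had already called kref_get, silently discarding their references and letting struct em28xx be freed while extensions still use it. Since the backport note states the dev->dev_next part of the upstream commit was dropped because 4.14 has no second-tuner support, it is worth double-checking that no other kref_init(&dev->ref) remains later in this probe path in the 4.14 tree; the diffstat (2 insertions, 2 deletions) covers only the two shown.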